Identity solutions provider Okta said this week that the hack of its customer support management system disclosed in October impacted many more of its customers than previously thought, but did not impact its FedRAMP High and Defense Department IL4 environments used by the Federal government.

On Oct. 20, the company disclosed “adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system.”

As a result, the company said in October, “the threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.” It added that “the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted,” and that its Auth0/CIC case management system also was not impacted.

In a Nov. 29 update, Okta said it reexamined the hacker’s actions and downloads, and found that “the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users.”

“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRAMP High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor),” the company said in the Nov. 29 update.

“The Auth0/CIC support case management system was also not impacted by this incident,” it added.

Pointing to a report that the hacker compiled on Sept. 28 featuring data fields for each user of Okta’s customer support system, the company said, “the majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data.”

“For 99.6 percent of users in the report, the only contact information recorded is full name and email address,” the company said.

The end result, Okta warned, is an increased risk of phishing attacks.

“While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks,” the company said.

“Okta customers sign in to Okta’s customer support system with the same accounts they use in their own Okta org. Many users of the customer support system are Okta administrators,” it said. “It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).”

“Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users,” the company said.

“While 94% of Okta customers already require MFA for their administrators, we recommend ALL Okta customers employ MFA and consider the use of phishing resistant authenticators to further enhance their security,” Okta said.
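Okta’s advice separates two questions an administrator of an affected org will want answered: which admin accounts have no MFA enrolled at all, and which rely only on factors (push, TOTP, SMS, email) that a real-time phishing kit can relay. The following script is an added illustration, not code from Okta or from its Nov. 29 update. It runs offline on constructed sample records shaped like the JSON returned by Okta’s GET /api/v1/users, GET /api/v1/users/{id}/roles and GET /api/v1/users/{id}/factors endpoints (the field names “type”, “factorType” and “status” and the factor-type strings are assumptions about those responses), and ranks each administrator by MFA posture so the weakest accounts can be fixed first.

```python
"""Added example (not Okta's code): rank an Okta org's administrators by MFA posture.

Assumptions: the inputs mirror the JSON shapes of Okta's GET /api/v1/users,
GET /api/v1/users/{id}/roles and GET /api/v1/users/{id}/factors responses
("id", "profile.login", "type", "factorType", "status"). Every record below
is constructed sample data, not a real user.
"""

# Factor types that resist credential phishing: FIDO2/WebAuthn, Okta Verify
# FastPass ("signed_nonce") and legacy U2F. Push, TOTP, SMS, voice, email and
# security questions can all be relayed or socially engineered in real time.
PHISHING_RESISTANT_FACTORS = {"webauthn", "signed_nonce", "u2f"}

# Constructed sample data shaped like the Okta API responses (assumption).
USERS = [
    {"id": "00u1", "profile": {"login": "alice@example.com"}},
    {"id": "00u2", "profile": {"login": "bob@example.com"}},
    {"id": "00u3", "profile": {"login": "carol@example.com"}},
    {"id": "00u4", "profile": {"login": "dave@example.com"}},
    {"id": "00u5", "profile": {"login": "erin@example.com"}},
]
ROLES = {  # GET /api/v1/users/{id}/roles; users with no entry hold no admin role
    "00u1": [{"type": "SUPER_ADMIN", "status": "ACTIVE"}],
    "00u2": [{"type": "ORG_ADMIN", "status": "ACTIVE"}],
    "00u3": [{"type": "HELP_DESK_ADMIN", "status": "ACTIVE"}],
    "00u5": [{"type": "APP_ADMIN", "status": "ACTIVE"}],
}
FACTORS = {  # GET /api/v1/users/{id}/factors
    "00u1": [{"factorType": "webauthn", "status": "ACTIVE"},
             {"factorType": "push", "status": "ACTIVE"}],
    "00u2": [{"factorType": "sms", "status": "ACTIVE"}],
    "00u3": [{"factorType": "token:software:totp", "status": "PENDING_ACTIVATION"}],
    "00u5": [{"factorType": "push", "status": "ACTIVE"},
             {"factorType": "token:software:totp", "status": "ACTIVE"}],
}


def mfa_posture(active_factor_types):
    """Classify a set of ACTIVE factor types into one of three postures."""
    if not active_factor_types:
        return "NO_MFA"
    if active_factor_types & PHISHING_RESISTANT_FACTORS:
        return "PHISHING_RESISTANT"
    return "PHISHABLE_MFA"


def audit_admins(users, roles_by_user, factors_by_user):
    """Return one finding per administrator, weakest posture first."""
    order = {"NO_MFA": 0, "PHISHABLE_MFA": 1, "PHISHING_RESISTANT": 2}
    findings = []
    for user in users:
        roles = [r["type"] for r in roles_by_user.get(user["id"], [])
                 if r.get("status", "ACTIVE") == "ACTIVE"]
        if not roles:
            continue  # not an administrator; out of scope for this check
        # A factor still PENDING_ACTIVATION protects nothing, so keep ACTIVE only.
        active = {f["factorType"] for f in factors_by_user.get(user["id"], [])
                  if f.get("status") == "ACTIVE"}
        findings.append({
            "login": user["profile"]["login"],
            "roles": roles,
            "factors": sorted(active),
            "posture": mfa_posture(active),
        })
    findings.sort(key=lambda f: (order[f["posture"]], f["login"]))
    return findings


def summarize(findings):
    """Per-org share of administrators with any MFA and with a phishing-resistant factor."""
    total = len(findings)
    with_mfa = sum(f["posture"] != "NO_MFA" for f in findings)
    resistant = sum(f["posture"] == "PHISHING_RESISTANT" for f in findings)
    return {
        "admins": total,
        "with_mfa": with_mfa,
        "phishing_resistant": resistant,
        "pct_with_mfa": round(100.0 * with_mfa / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    results = audit_admins(USERS, ROLES, FACTORS)
    for f in results:
        print(f"{f['posture']:20} {f['login']:22} roles={f['roles']} factors={f['factors']}")
    print(summarize(results))
```

Against the sample data the report lists carol (an active help-desk admin whose only factor was never activated) first, then bob and erin, whose push, SMS and TOTP factors satisfy “has MFA” but not “phishing resistant”, and alice last. Run against a real org, the same ordering tells you which admins a phishing campaign built on the leaked name-and-email list would most easily compromise.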

John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.